metsw24-max opened a new issue, #50075:
URL: https://github.com/apache/arrow/issues/50075

### Describe the bug

`to_hex_int64` and `to_hex_int32` in `cpp/src/gandiva/precompiled/string_ops.cc` allocate the arena buffer with exactly the maximum number of hex digits (`2 * sizeof(int64_t)` = 16, `2 * sizeof(int32_t)` = 8), but then call `snprintf` with a size of that value `+ 1`. For a value that uses the full digit width (e.g. `to_hex(-1::bigint)` → `FFFFFFFFFFFFFFFF`, or `INT64_MIN`/`INT32_MIN`), snprintf writes all digits plus a trailing NUL, i.e. one byte past the end of the allocation.

`gdv_fn_context_arena_malloc` hands out exactly the requested number of bytes from the arena, so the NUL terminator corrupts the adjacent arena allocation (out-of-bounds write).

This is the same off-by-one that was just fixed for `gdv_hash_using_openssl` in #49780 / GH-49752; these two functions were missed.

### Component(s)

C++, Gandiva


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
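The off-by-one the issue describes, reproduced as an added, self-contained C example (not Arrow's own code): a toy bump arena that, like `gdv_fn_context_arena_malloc` as the report describes it, returns exactly the requested number of bytes, a buggy `to_hex` that allocates `2 * sizeof(int64_t)` bytes but passes `len + 1` to `snprintf`, and a corrected variant that formats into a stack buffer and copies only the digits into the arena. The arena is pre-filled with a canary byte so the test can observe whether the byte after the allocation was overwritten; the arena type, canary value and helper names are this example's own assumptions, and the `%PRIX64` format is a stand-in for whatever the real implementation uses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy arena (assumption: stands in for gdv_fn_context_arena_malloc). It hands
 * out exactly n bytes per request, with no padding between allocations. */
#define ARENA_SIZE 64
#define CANARY 0xAA

typedef struct {
    uint8_t bytes[ARENA_SIZE];
    size_t used;
} toy_arena;

static void arena_init(toy_arena *a) {
    memset(a->bytes, CANARY, ARENA_SIZE);  /* canary marks untouched space */
    a->used = 0;
}

static char *arena_malloc(toy_arena *a, size_t n) {
    if (a->used + n > ARENA_SIZE) return NULL;
    char *p = (char *)a->bytes + a->used;
    a->used += n;
    return p;
}

/* 1 if every byte after the last allocation still holds the canary. */
static int neighbour_intact(const toy_arena *a) {
    for (size_t i = a->used; i < ARENA_SIZE; i++)
        if (a->bytes[i] != CANARY) return 0;
    return 1;
}

/* Buggy shape from the report: 16 bytes allocated, snprintf told it has 17.
 * For a full-width value the NUL terminator lands one byte past the end. */
static const char *to_hex_int64_buggy(toy_arena *a, int64_t v, int32_t *out_len) {
    int32_t len = 2 * sizeof(int64_t);            /* 16 */
    char *buf = arena_malloc(a, (size_t)len);
    if (!buf) { *out_len = 0; return ""; }
    *out_len = snprintf(buf, (size_t)len + 1, "%" PRIX64, (uint64_t)v);
    return buf;
}

/* Corrected shape (assumption: one possible fix, not necessarily the one the
 * project chose): format into a NUL-sized stack buffer, then copy exactly the
 * digits into an arena allocation of that many bytes. */
static const char *to_hex_int64_fixed(toy_arena *a, int64_t v, int32_t *out_len) {
    char tmp[2 * sizeof(int64_t) + 1];           /* room for 16 digits + NUL */
    int n = snprintf(tmp, sizeof tmp, "%" PRIX64, (uint64_t)v);
    char *buf = arena_malloc(a, (size_t)n);
    if (!buf) { *out_len = 0; return ""; }
    memcpy(buf, tmp, (size_t)n);                 /* no terminator written */
    *out_len = n;
    return buf;
}

/* Harness helpers: 1 if formatting v clobbered the byte after the allocation. */
int buggy_clobbers_neighbour(int64_t v) {
    toy_arena a; int32_t len;
    arena_init(&a);
    to_hex_int64_buggy(&a, v, &len);
    return !neighbour_intact(&a);
}

int fixed_clobbers_neighbour(int64_t v) {
    toy_arena a; int32_t len;
    arena_init(&a);
    to_hex_int64_fixed(&a, v, &len);
    return !neighbour_intact(&a);
}

/* 1 if the fixed routine yields exactly `expected` (compared by length, not NUL). */
int fixed_hex_matches(int64_t v, const char *expected) {
    toy_arena a; int32_t len;
    arena_init(&a);
    const char *s = to_hex_int64_fixed(&a, v, &len);
    return (size_t)len == strlen(expected) && memcmp(s, expected, (size_t)len) == 0;
}

int main(void) {
    int64_t samples[] = { -1, INT64_MIN, 255 };
    for (size_t i = 0; i < 3; i++)
        printf("value %" PRId64 ": buggy clobbers neighbour=%d, fixed=%d\n",
               samples[i], buggy_clobbers_neighbour(samples[i]),
               fixed_clobbers_neighbour(samples[i]));
    return 0;
}
```

Note that the buggy routine only corrupts the neighbour for values that need all 16 digits (`-1`, `INT64_MIN`); for a short value such as `255` the NUL falls inside the allocation, which is why ordinary tests with small inputs do not catch this class of bug and why a canary or ASan run over the boundary values is the check to add.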

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to